
Small businesses are a big interest in supply chain attacks

In the last few years, many large and well-known organisations have fallen victim to substantial supply chain attacks; think British Airways and Ticketmaster. As an SME, you may be left wondering what impact this has on your small business, and assuming that surely they were targeted because their profits are so high.

Regardless of whether you own a beauty salon, a plumbing and heating company or run a private gym, you will have a long list of suppliers that deliver everything from your booking, invoicing, and payment systems to supplying the refreshments that you provide to your customers. In fact, over 33% of businesses said they were not aware of how many external suppliers they use.

It is this long list of suppliers that makes SMEs more appealing to cybercriminals, as they can compromise multiple clients with one attack, giving cybercriminals the type of return on investment that they like to see.

So, why else are SMEs a key target for supply chain attacks?

  • SMEs are unlikely to have the resources and budgets to protect themselves, so they are often seen as stepping stones in the process of attacking a larger organisation.

  • Attackers have more resources and tools at their disposal than ever before, creating significant resilience challenges for small businesses like yours.

  • Only 4% of micro-businesses, 7% of SMEs and 15% of medium businesses have reviewed risks posed by their suppliers or partners, showing that there is a lack of knowledge in understanding the dangers of a supply chain attack.

What could happen as a result of a supply chain attack on an SME?

Those behind cyber-attacks on SMEs are looking to make a financial profit at the expense of your company. Often hackers will steal your company's and customers' data by deploying a ransomware attack, where your data is held to ransom and you will be forced to pay a fee to regain access to that data. If that fee is paid, they will take this as profit, and they could still sell your data to a buyer on the dark web, where they will make further money.

Further financial damage and reputational damage may occur as a result of:

  • The cost of IT overtime to clean up and remediate an incident

  • The cost of hiring experts to investigate the incident

  • The cost of any potential lawsuits should employee or customer data be exposed in a breach

  • Any regulatory fines, for example General Data Protection Regulation (GDPR)

  • Brand and reputation damage leading to larger companies not working with your company as part of their supply chain

  • Lost productivity for staff

  • Downtime and lost sales

To help businesses in the UK, the Government published new plans to boost the country’s digital supply chains. These plans revealed that almost a third of UK firms with digital supply chains are vulnerable to cyber-attacks.

What can SME businesses do to avoid a supply chain attack?

  • Make sure that your business is as cyber resilient as possible. Joining the WMCRC and achieving Cyber Essentials is a great first step if you are not sure about how to start.

  • Know who your suppliers are and ask them about their security. Look for businesses who have a cyber resilience accreditation, such as Cyber Essentials.

  • Ensure that your suppliers only have the access that they require. Assume that your supplier will get compromised: what is your plan when this happens?

  • Review what damage could be done if your suppliers are compromised. Is there any way to reduce the impact? Consider running business continuity exercises to test your business’ response.

  • Have a monitoring system in place to alert you if your anti-malware software shuts down. Do you know how to check if yours is running?

  • Learn how to safeguard your most business critical and sensitive data by ensuring that your Security Policy is in tip top shape with our Security Policy review product.

How can The Cyber Resilience Centre for the West Midlands help businesses across the region?

Our mission is simple: we exist to help businesses of all sizes (although we do focus on SMEs, micro businesses, and sole traders) to better protect themselves in the fight against cybercrime. We do this by developing your knowledge in key areas so that you can implement basic methods of cyber hygiene. To help you guard your business from cyber-attacks in the same way you would protect your premises against fire and flood, we offer free membership. This gives you access to regular, simple, easy-to-follow guidance, tools, and resources, as well as the opportunity to have a jargon-free 1:1 conversation to help you understand your current business cyber-related risks. Join today at


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.


The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published in this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.
